In recent years, there has been a demand for a technology for analyzing communication processing executed by an information processing apparatus (such as a computer) connected to a communication network (hereinafter simply referred to as an “information communication apparatus”).
For example, such analysis of communication processing is used for analysis of behavior of an information communication apparatus during development and operation stages, or analysis of behavior of a communication processing program executed on an information communication apparatus.
There is a particular demand in recent years for a technology for analyzing a content of improper communication processing caused by an improper computer program (a computer program includes various types of software programs and may be hereinafter simply referred to as a “program”), such as a virus, that is executed on an information communication apparatus.
For example, when such an improper program (hereinafter referred to as “malware”) executes various types of communication processing by using an advanced encryption scheme such as public key cryptography, it is difficult to decrypt (decode) a communication record (communication data).
For example, it is assumed that an information communication apparatus as an analysis target employs a specific cryptographic communication protocol (for example, a case where a communication channel encrypted by the specific cryptographic communication protocol is established between information communication apparatuses that are analysis targets). In this case, an encryption key, authentication information, and the like related to the cryptographic communication protocol are securely exchanged between the communication apparatuses. For example, the following cryptographic communication protocols may be used as the specific cryptographic communication protocol.
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
Internet Key Exchange (IKE) in Security Architecture for Internet Protocol (IPSec)
Secure Shell (SSH)
Generally, it is not easy to decrypt encrypted communication data transmitted and received in accordance with such a cryptographic communication protocol. Accordingly, a technology of collecting information about such cryptographic communication by analyzing an information communication apparatus (including various types of software programs executed on the information communication apparatus) executing the cryptographic communication is under study.
As an example of such a technology for analyzing an information communication apparatus, a technique of analyzing behavior of a specific program (for example, malware) on an information communication apparatus while running the program (hereinafter referred to as a “live forensics technique”) is known. Such a live forensics technique executes various types of investigations and analyses on behavior of an apparatus (or a system) by collecting various types of information about the apparatus while the apparatus is in an operating state. For example, such a live forensics technique is able to investigate data, a program being executed, and the like stored in a volatile storage device (for example, a memory), while an information processing apparatus is in operation.
For example, the following references are disclosed in relation to the aforementioned technology of analyzing behavior of an information processing apparatus, including communication processing.
PTL 1 (Japanese Translation of PCT International Application Publication No. 2014-514651) discloses a technology related to malware analysis. In the technology disclosed in PTL 1, a virtual machine monitor intercepts (acquires) various types of requests from an information processing apparatus implemented by use of a virtual machine, and transfers the information to a security agent. The security agent determines whether or not a program executing such a request is malware, in accordance with the acquired information. The virtual machine monitor exists in a layer lower than the virtual machine, and therefore is able to acquire all requests executed on the virtual machine.
PTL 2 (Japanese Unexamined Patent Application Publication No. 2013-114637) discloses a technology related to malware analysis. The technology disclosed in PTL 2 extracts an encryption key used by malware from a memory space in an apparatus executing the malware, by analyzing an execution trace of the malware and the data referred to during execution. The technology disclosed in PTL 2 decrypts communication encrypted by the malware by use of the extracted encryption key.
PTL 3 (Japanese Translation of PCT International Application Publication No. 2012-511847) discloses a technology of classifying cryptographic communication executed by malware and the like. The technology disclosed in PTL 3 detects unapproved cryptographic communication by comparing encrypted communication executed at an analysis target apparatus with preregistered approved encrypted communication. Further, when detecting unapproved cryptographic communication, the technology disclosed in PTL 3 blocks (suspends) such cryptographic communication.
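PTL 3 does not state how "approved encrypted communication" is represented. One defensive interpretation, added here as an illustrative example and not the mechanism of PTL 3 or of any product, is to register the observable handshake parameters of each approved client (protocol version, offered cipher suites, extension types) as a fingerprint and flag any TLS ClientHello whose fingerprint is not in the registry. The builder, the parser, the approved set, the host names, and the chosen cipher suite lists below are all constructed for the example; the TLS field layout follows the public TLS record and ClientHello format.

```python
import struct

# Constructed example: a minimal TLS ClientHello builder and parser, used to
# compare an observed handshake against preregistered approved fingerprints.
# This is illustrative code, not the mechanism described in PTL 3.


def _u16(buf: bytes, pos: int) -> int:
    """Read a big-endian 16-bit field, raising ValueError on a short buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated field")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def build_client_hello(version: int, cipher_suites, sni: str, extra_extensions=()) -> bytes:
    """Assemble a TLS record carrying a ClientHello (constructed test data only)."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name entry
    sni_data = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data  # server_name extension
    for etype in extra_extensions:
        exts += struct.pack("!HH", etype, 0)                     # zero-length extension body
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    hello = (struct.pack("!H", version)
             + bytes(32)                                         # client random (zeros here)
             + b"\x00"                                           # empty session_id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00"                                       # compression: null only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Extract version, cipher suites, extension types and SNI from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 0
    version = _u16(hello, pos)
    pos += 2 + 32                                # version, then skip client random
    if pos >= len(hello):
        raise ValueError("truncated ClientHello")
    pos += 1 + hello[pos]                        # skip session_id
    cs_len = _u16(hello, pos)
    pos += 2
    suites = [_u16(hello, pos + i) for i in range(0, cs_len, 2)]
    pos += cs_len
    if pos >= len(hello):
        raise ValueError("truncated ClientHello")
    pos += 1 + hello[pos]                        # skip compression methods
    ext_types, sni = [], None
    if pos < len(hello):
        end = pos + 2 + _u16(hello, pos)
        pos += 2
        while pos + 4 <= end:
            etype, elen = _u16(hello, pos), _u16(hello, pos + 2)
            pos += 4
            data = hello[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            # server_name body: list_len(2) name_type(1) name_len(2) name
            if etype == 0x0000 and len(data) >= 5:
                sni = data[5:5 + _u16(data, 3)].decode("ascii", "replace")
    return {"version": version, "cipher_suites": suites, "extensions": ext_types, "sni": sni}


def fingerprint(parsed: dict) -> tuple:
    """Fingerprint = (version, ordered cipher suites, ordered extension types)."""
    return (parsed["version"], tuple(parsed["cipher_suites"]), tuple(parsed["extensions"]))


# Preregistered approved fingerprint (constructed): TLS 1.2 record version with
# TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# and extensions server_name, extended_master_secret, session_ticket.
APPROVED_FINGERPRINTS = {
    (0x0303, (0x1301, 0x1302, 0xC02F), (0x0000, 0x0017, 0x0023)),
}


def classify(record: bytes, approved=APPROVED_FINGERPRINTS) -> str:
    """Return 'approved', 'unapproved', or 'not-a-client-hello' for one record."""
    try:
        parsed = parse_client_hello(record)
    except (ValueError, IndexError):
        return "not-a-client-hello"
    return "approved" if fingerprint(parsed) in approved else "unapproved"


# Constructed sample records: one matching the registry, one offering legacy
# RSA/3DES suites with no extensions beyond SNI, and one that is not TLS at all.
APPROVED_HELLO = build_client_hello(0x0303, [0x1301, 0x1302, 0xC02F],
                                    "update.example.test", [0x0017, 0x0023])
SUSPECT_HELLO = build_client_hello(0x0303, [0x0035, 0x000A], "unknown-host.example.test")
NOT_TLS = b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    for label, rec in [("approved", APPROVED_HELLO), ("suspect", SUSPECT_HELLO), ("plain", NOT_TLS)]:
        print(label, classify(rec))
```

Only the unencrypted handshake parameters are inspected, so the check never needs session keys; an unapproved fingerprint is a signal for further analysis or, as PTL 3 describes, for blocking the connection.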
PTL 4 (Japanese Unexamined Patent Application Publication No. 2009-037545) discloses a technology of classifying and distinguishing malware in accordance with similarity of malware. The technology disclosed in PTL 4 classifies and distinguishes malware in accordance with a correlation between micro analysis, which analyzes the execution code of the malware itself, and macro analysis, which analyzes communication related to the malware. As the micro analysis, PTL 4 discloses a configuration that extracts the execution code of malware from a memory dumped at a predetermined timing in an analysis target machine and disassembles the code.
PTL 5 (Japanese Unexamined Patent Application Publication No. 2006-279938) discloses a technology related to a cryptographic communication decoding apparatus that is arranged between two communication apparatuses and analyzes cryptographic communication between the communication apparatuses. The cryptographic communication decoding apparatus disclosed in PTL 5 analyzes communication data between the two communication apparatuses and exchanges an encryption key with each of the communication apparatuses at the timing when key exchange in cryptographic communication (IPSec) is executed. Specifically, the cryptographic communication decoding apparatus disclosed in PTL 5 is arranged between the two communication apparatuses as an intermediary, and exchanges an encryption key with one of the communication apparatuses while also exchanging an encryption key with the other communication apparatus. Thus, the apparatus disclosed in PTL 5 participates in the cryptographic communication executed between the two communication apparatuses, decodes cryptographic communication data transmitted from one of the communication apparatuses, transmits the decoded data to a monitoring apparatus, and re-encrypts the data and transmits it to the other communication apparatus.
PTL 6 (Japanese Translation of PCT International Application Publication No. 2013-508823) discloses a technology of detecting malware by monitoring generation of a link file in a computer. The technology disclosed in PTL 6 analyzes information about a process of creating a link to various types of resources existing inside and outside the computer, and information about a referent of the created link. In accordance with the analysis result, the technology disclosed in PTL 6 executes a countermeasure process against malware and suppresses access to the link. The technology disclosed in PTL 6 is able to delete, edit, and move a created link file.
PTL 7 (Japanese Translation of PCT International Application Publication No. 2013-507722) discloses a technology of detecting malware in accordance with behavior of a specific file executed on an information processing apparatus. The technology disclosed in PTL 7 adjusts an aggression level of a specific file in accordance with a rate of spread (a degree of distribution in an actual network environment) of the file. The technology disclosed in PTL 7 determines whether behavior of a specific file corresponds to behavior of malware, by use of an aggression level with respect to the file.
PTL 8 (Japanese Unexamined Patent Application Publication No. 2011-154727) discloses a technology of allowing malware to access a virtual network and acquiring information about an operation and communication executed by the malware. The technology disclosed in PTL 8 executes malware in a malware execution environment connected to a virtual network unit. The virtual network unit receives communication from the malware execution environment, analyzes a communication protocol, generates an appropriate response corresponding to the protocol, and transmits the response to the malware execution environment. In accordance with a content of communication from the malware execution environment, the technology disclosed in PTL 8 connects such communication to an actual Internet environment.
PTL 9 (Japanese Unexamined Patent Application Publication No. 2013-105366) discloses a technology of adjusting the time progression rate in the execution environment of a program that is active only at a specific timing or date and time, in order to analyze such a program.
In addition, there is a reference as follows related to a technology of decoding encrypted data.
PTL 10 (Japanese Unexamined Patent Application Publication No. 2007-116752) discloses a technology of confirming correctness of decoded data obtained by decoding a ciphertext. When decoding data encrypted by use of a pseudorandom number, the technology disclosed in PTL 10 determines correctness of the decoded data by comparing entropy of the decoded data with a specific reference value.
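The correctness check of PTL 10 rests on a simple observation: data that was decoded with the wrong key (or never was valid ciphertext) looks statistically like random bytes, while genuine plaintext such as text, logs or structured protocol data has a markedly lower byte entropy. The following is an added example, not code from PTL 10 or from any of the cited references: it computes the Shannon entropy of a byte string, decodes a captured ciphertext with each candidate key in turn, and accepts the first output whose entropy falls below a reference value. The toy stream cipher (SHA-256 counter keystream), the sample text, the candidate keys and the threshold of 6.0 bits per byte are all constructed for the example; PTL 10 does not specify a reference value.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _keystream(key: bytes, length: int) -> bytes:
    """Constructed toy keystream: block i = SHA-256(key || i). Stands in for the
    pseudorandom sequence of the text; not a production cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the operation is symmetric) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


# Assumed reference value: English text sits around 4 to 5 bits per byte, while
# pseudorandom bytes approach 8 once a few hundred bytes are available.
ENTROPY_THRESHOLD = 6.0


def looks_like_plaintext(candidate: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """PTL 10 style check: accept decoded data whose entropy is below the reference value."""
    return shannon_entropy(candidate) < threshold


def recover_plaintext(ciphertext: bytes, candidate_keys, threshold: float = ENTROPY_THRESHOLD):
    """Try each candidate key (for example keys carved from a memory snapshot) and
    return (key, plaintext) for the first decode that passes the check, else None."""
    for key in candidate_keys:
        decoded = xor_crypt(key, ciphertext)
        if looks_like_plaintext(decoded, threshold):
            return key, decoded
    return None


# Constructed sample: a plaintext analysis note, the key that encrypted it, and
# two wrong keys of the kind a memory scan might also surface.
SAMPLE_PLAINTEXT = (
    b"Analysis note, constructed for this example: the monitored process opened "
    b"three outbound connections during the observation window, each negotiated "
    b"an encrypted channel, and the recorded payloads could not be read without "
    b"the session keys. Recovering the keys from a memory snapshot allows the "
    b"captured traffic to be decoded and the decoded output to be checked for "
    b"plausibility before any further analysis is performed on it."
)
CORRECT_KEY = b"constructed-key-0001"
WRONG_KEYS = [b"constructed-key-0002", b"another-wrong-candidate"]
SAMPLE_CIPHERTEXT = xor_crypt(CORRECT_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("plaintext entropy :", round(shannon_entropy(SAMPLE_PLAINTEXT), 2))
    print("ciphertext entropy:", round(shannon_entropy(SAMPLE_CIPHERTEXT), 2))
    result = recover_plaintext(SAMPLE_CIPHERTEXT, WRONG_KEYS + [CORRECT_KEY])
    print("recovered with key:", result[0] if result else None)
```

The check is a plausibility filter rather than a proof of correctness: compressed or already-encrypted plaintext (an archive, a nested TLS record) also has high entropy and would be rejected, and very short outputs carry too few bytes for the statistic to separate the two cases, so a practical implementation pairs the entropy test with a length floor and, where the expected data format is known, a format-specific check.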